Hi,
I am a security researcher at Carnegie Mellon University, and my team
has found thousands of crashes in binaries downloaded from debian
wheeze packages. After contacting [email protected], Don Armstrong
advised us to contact you before submitting ~1.2K bug reports to the
Debian BTS using [email protected] (to avoid spamming
debian-bugs-dist).
We found the bugs using Mayhem [1], an automatic bug finding system
that we've been developing in David Brumley's research lab for a
couple of years. We recently ran Mayhem on almost all ELF binaries of
Debian Wheezy (~23K binaries) [2], and it reported thousands of
crashes.
Our goal here is to make our bug reports as complete and accurate as
possible. To minimize duplicates, we are reporting only one crash per
binary, and at most 5 crashes per package. This amounts to ~1.2K
crashes. Moreover, to ensure accuracy, we confirmed all the crashes by
re-running them in a fresh unstable installation. Finally, we also
filter out assertion failures for now, as they seemed less important.
In short, every report is reproducible and actionable.
You can download the list of affected packages, with their maintainers
[3], generated with dd-list, as well as a sample bug report for
gcov-4.6 [4]. The bug report contains:
1) the bug report that will be mailed to [email protected]
(report.txt)
2) a testcase reproducing the crash in ./crash/
3) information about the crash in ./crash_info/: a core dump (core),
the output of the crash (crash_output.txt), the dmesg of the crash
(dmesg.txt), as well as the exit status (exit_status.txt).
This is a lot of bugs, and we want to make sure we're doing bug
reports right, so that we don't make anyone angry by spamming the BTS
with bad reports. Please let us know if the reports are good enough to
proceed with the filing, or if any additional information should be
included in the report.
Thanks,
The Mayhem Team
Cylab, Carnegie Mellon Univeristy
[1] http://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf
[2] http://forallsecure.com/summaries
[3] http://forallsecure.com/reports/dd-list.txt
[4] http://forallsecure.com/reports/gcov-4.6-report.tar.bz2